Categories
Tags
/ 2fa ab aboutme Access access Access-Control access-control access-management Active Directory active directory Active Response Active-Directory active-directory Active-Response active-response ActiveX actix-web ad-blocking administration admission-control adr advanced-devops Advanced-Logging Agent-Deployment Agent-Management agile ai AI AI Agents AI Development AI-Automation ai-integration AI-Marketing AI-Sales AI-security AI-Security ai-translation airtable alarms Alert-Enrichment alerting Alerts Alpine-Linux amplitude amtd analysis Analytics analytics Android anomaly-detection ansible Anti-Bot Apache api API API Security api-client api-design api-gateway api-management api-security AppArmor apparmor apple Apple-Intelligence Apple-security applescript application-security applications APS APT-attacks arch-linux Architecture architecture architecture-patterns argocd Artificial-Intelligence asgi assemblyscript astro-ai async Async asynchronous athena ATL attack-detection Attack-Mitigation attack-patterns Attack-Prevention attestation Audio audio Audit-Logging Auditd auth0 authentication Authentication authentication-security Authorization authorization auto-reboot automation Automation autoscaling aws AWS AWS-Bedrock AWS-Lambda awslambda aya Aya azure Azure azure-ad backend background-services backstage Backup backup bare-metal baselining bash basics bcc behavioral-analysis benchmarking Best Practices best-practices Best-Practices BestPractices bgp Big-Data big-data bind-mounts biometric-security blacklist blog-platforms Blogging blue-green Blue-Team blue-team bluechi bochs borrowing Bot-Management bot-management Bot-Protection boto3 bpftrace broadcom browser Brute-Force brute-force build build-configuration business-intelligence busybox BYOD c C Programming C++ caching caddy calico Campaign-Management canary CAPTCHA career Career CASB cdc CDN cdn centos certificate-authority Certificate-Management certificates Cgroups Chainsaw Change-Management chartmuseum Chatbot chatbot ChatGPT chatops check_wmi_plus choreography chrome CI-CD ci-cd CI/CD cicd cilium circuit-breaker CIS cis cis-benchmark cka Claude claude-3-opus claude-code Claude-Haiku cleanup cli cli-tools ClickHouse clickhouse client-go cloud cloud-computing cloud-native Cloud-Native cloud-providers cloud-security Cloud-Security Cloud-Storage cloud-storage Cloudflare cloudflare cloudflared cloudformation cloudfront CloudNative cloudrun cloudwatch cluster cluster-deployment cluster-health cluster-management cluster-setup cmd CMMC cni cocktails code management code-generation collaboration columnar COM Command-Module communication communication-patterns community compensation compliance Compliance Component-Development Compose Compression compression compute computer-vision conference-translation confidential-computing configmaps configuration configuration-management consul container Container Orchestration Container-Architecture container-management Container-Orchestration container-orchestration container-runtime Container-Security container-security Containerd containerization Containerization containers Containers content-automation content-generation Content-Marketing contextual-translation continuous-improvement contract-testing controller controller-manager Controllers cookiecutter cooking coredns coreos Coroutines Correlation correlation correlation-rules cors cosmopolitan Cost Optimization Cost-Optimization cost-optimization cpp CPU-Monitoring cqrs crawler CRD crd CRI cri-o CRM cronjob cronjobs cross-account cross-cloud Cross-Cluster-Search Cross-Platform Crypto-Mining CryptoAPI Cryptography cryptography csharp css custom linux custom-decoders Custom-Rules Customer-Success customization Customization CVE-2025-31200 CVE-2025-31201 cyber-threats cybersec cybersecurity Cybersecurity d1 D1-Database d1-database daemonsets dashboard dashboards Data-Analysis data-analysis data-analytics data-architecture data-breach data-catalog data-channels data-consistency data-fetcher Data-Filtering data-governance Data-Lake data-management data-masking data-migration data-normalization Data-Pipeline data-pipeline data-prepper data-processing data-protection Data-Protection data-recovery Data-Residency data-warehouse database DataBinding datasette dba DDoS-Protection ddos-protection debian debugging Decoders decoders decoupling deepl-voice deepseek-r1 defense defensive-security Demo deno dep deployment Deployment design-patterns Desktop-Development desktop-development detection detection-accuracy Detection-Engineering Developer Tools developer-portal developer-portals development Device Drivers Device-Monitoring devops DevOps devops-culture devops-journey devsecops DevSecOps devtools devtron DFIR diagrams Digital-Forensics digital-payments Digital-Signatures digital-transformation digitalocean Direct2D Direct3D DirectShow DirectX disaster-recovery discord discovery disk-encryption Disk-Monitoring disk-provisioning Distributed Systems Distributed-Security distributed-security distributed-systems distributed-transactions distro distrobox django dkim DLP dmarc dnf dns docker Docker document-processing documentation DoD domain domain-administration Domain-Controller domain-driven-design dotnet DPAPI duckdb dx-operational-observability DynamicClient dynamodb e-payment eBPF ebpf ec2 ECS ecs edge-ai edge-computing Edge-Database edge-devices edge-functions edge-security EDR edr eks elastic-alternative Elastic-Stack elasticache Elasticsearch elasticsearch electron elgato elk-stack Email email Email-Automation email-automation Email-Marketing embedded linux embedded-systems Embeddings Encryption encryption Endpoint-Monitoring Endpoint-Protection endpoint-protection Endpoint-Security endpoint-security Engineering Enterprise enterprise Enterprise Security Enterprise-Architecture enterprise-architecture enterprise-integration enterprise-security Enterprise-Security environment-variables envoy EPS error-handling etcd ETL etl ETW eureka Event-Channel event-correlation event-driven event-driven-architecture Event-Logs event-monitoring Event-Monitoring event-sourcing event-streaming Event-Tracing EVTX-Analysis Example exif exploit-mitigation exploit-prevention exploitation falco Fargate fargate fault-tolerance feature-flags federation fedora fedora-coreos ffmpeg FIDO2 File Integrity file-integrity File-Integrity-Monitoring file-integrity-monitoring file-transfer filebeat FileVault FIM financial-security fintech fips-203 Firecracker firefox firehose Firewall firewall Firewall-Monitoring Flow fluentbit Fluentd flux fly forensics Forensics ftp FTP full-stack functions fundamentals future-translation gainsaheb Gatekeeper Gateway gateway gcp GCP gcs GDI32 gemini-2.5 general gis git github github-actions GitHub-Actions gitlab GitOps gitops global-delivery Global-Distribution glue gmail Go go golang google google-authenticator google-cloud google-sheets googlecloud governance GPO gpt GPT-4 gpt-4o gpt3 grafana graph-api graphical interface Graphics API graphql GraphQL group-policy grpc gui guide hacker-news Hadoop ham-radio hardening hardware hardware-security hashicorp HDFS health-checks health-probes helm helm-charts heroku High-Availability high-availability high-risk-security Hilt hirte Historical-Analysis history homebrew homelab hpa html HTTP http http3 https httpx HubSpot hugo hybrid-cloud hybrid-quantum-classical Hydra I/O-Optimization iac iam icinga ics ide Identity identity identity management identity-governance identity-management IDS ignition IIS imagemagick Implementation in-memory Incident Response Incident-Response incident-response index index-management indexer industrial-iot industrial-security Infopercept infrastructure Infrastructure Infrastructure-as-Code infrastructure-as-code Infrastructure-Monitoring ingress installation instrumentation Integration integration Integration Testing integration-testing internet introduction intrusion-detection intrusion-prevention inventory Invinsense IOCs IOKit ios iOS-development iOS-security iot IPS isa Isolation istio IT-security iterators IUnknown jamstack jasmin java javascript JavaScript jenkins jest Jetpack Jetpack Compose jinja Journald jq json jsonpath jupyter jwt JWT k8s Kafka kafka kannel kaslr Kata-Containers keepalive Kerberos kernel Kernel Kernel Programming Kernel-Tuning Kernel32 keycloak Kibana KIND kinesis kiota Kotlin kprobe kpti kubeadm Kubebuilder kubectl kubernetes Kubernetes kustomize KVM kyber labels lambda LangChain language-processing large-language-models lattice-cryptography launchd LDAP Lead-Generation learning Legacy Code legacy-systems libvirt lightsail lightweight distro linkding Linux linux linux development linux from scratch linux kernel linux kernel compilation linux system Linux-Kernel linux-kernel Linux-Security linux-security LiveData liveness lkl Llama3 llm LLM llm-translation llms load-balancing Lockdown-Mode log Log-Analysis log-analysis Log-Analytics Log-Collection log-ingestion Log-Management log-management log-parsing Log-Processing LogcatUDP logging logs Logstash Logwatch low-latency LSM lsm lunarvim MAC Machine Learning machine-learning Machine-Learning machine-translation machinelearning macOS macos macOS-development macOS-security Maintenance malware Malware Malware Analysis malware-analysis Malware-Detection malware-detection malware-protection managed-database management manifest maps Markdown markdown Marketing-Automation master-keys mastodon MCP MDM mdm Media Foundation Media-Storage mediawiki memcached Memory Management Memory Protection Memory-Management memory-management Memory-Monitoring memory-safety mermaid message-queue messaging metrics metrics-server MFA mfa micro-segmentation micromdm microservices Microservices Microsoft microsoft microsoft-copilot microsoft-graph microsoft-kiota MicroVM microwindows midjourney Migration migration Migrations MikroTik minimalistic os minio misc MISP mitigation ml-kem mobile-device-management mobile-security Mobile-Security monitoring Monitoring morphisec MSI MSSP mtls Multi-Agent Systems Multi-Cloud Multi-Cluster multi-cluster Multi-Service Multi-Site Multi-Tenancy multi-tenancy multi-tenant multilingual-blogs Multimedia multimodal-ai multipass musl MVVM mysql n8n nagios Namespaces nano-x Native-Development NATS nats Navigation neovim netdata netflix Network network-access network-correlation Network-Monitoring Network-Performance Network-Scanning network-security Network-Security Networking networking neural-machine-translation neural-networks neuvector nextjs-ai nfs nginx nlp Nmap No-Code no-code node node-affinity node-exporter Node.js nodejs noisy-neighbors nosql Notifications notifications npm NSO-group NTLM oauth oauth2 OAuth2 Object-Storage object-storage objective-c observability observable observable-plot ocr OCSF offensive-security oidc OLE Ole32 Ollama open source OpenAI openai openapi OpenSearch opensearch openssh openssl OpenSSL opentelemetry openvpn operating system operating-systems Operations Operators operators OperatorSDK Optimization optimization oracle oracle23c orchestration Orchestration organizational-charts OSSEC ot-ics overture-maps owasp ownership OXDR p2p P2P package-management packaging packet-capture packet-processing pact pages pagination partitioning passkeys passwordless patterns PCI-DSS pdf PDF-Reports peer-to-peer Pegasus-protection penetration-testing Performance performance Performance-Optimization performance-optimization permissions persistentvolumeclaims persistentvolumes personalization php pihole pipeline Pipeline-Management pixelmator pixie PKI pki Platform Development platform-engineering playwright pluggy plugin plugins pmp PnP pod-security podman pods Policy-Monitoring polyglot-persistence post-quantum-cryptography Postfix postgresql PowerShell powershell presenting pricing Privacy privacy-controls privacy-engineering privacy-protection Private-Cloud-Compute Privileged-Access process-exporter Process-Monitoring Process-Supervision processor Production production Production-Deployment Production-Setup Productivity productivity Programming programming project-management prometheus protocols proxy pub-sub purpleair push-notifications pyodide pypi pytest Python python qemu quadlet quadlets quality-assurance quantum-acceleration quantum-ai quantum-algorithms quantum-computing quantum-nlp quantum-resistant quarto Query-Language queues quic R2 r2 r2-storage rabbitmq RAG ransomware Rate-Limiting rate-limiting RBAC rbac rdp rds react readiness readthedocs Real-time real-time Real-time Analytics real-time-analytics real-time-translation red-team reddit redis redshift Refactoring reference Regex Remote Management remote-access Remote-Commands Remote-Logging ReplicaSet repository management resilience resilience4j resource-management Resource-Monitoring resources REST rest-api restore Revenue-Operations risc-v risk-management rocky-linux roles rolling-updates Room Rootcheck rootkit rootless route53 Router routing rpki rpm-ostree rsyslog rule-engine Rules rules runtime-protection Runtime-Security RuntimeClass Rust rust s3 S3-Compatible s3-compatible s6-overlay safari safety-critical saga-pattern Sales-Automation Salesforce sandboxed-execution SASE Scalability scalability scaling sched_ext scheduler scheduling scim Screen-Sharing screen-sharing scripting sdk-development sdk-generation sdlc seamlessm4t search search-engine Seccomp secrets secrets-management secure-boot secure-coding secure-enclave security Security Security Architecture Security Monitoring Security Platform Security-Analysis security-analytics Security-Analytics security-architecture Security-Architecture Security-Auditing Security-Automation security-commands security-data-lake Security-Framework Security-Hardening security-implementation Security-Management security-monitoring Security-Monitoring security-operations Security-Operations Security-Orchestration security-patches security-platform security-tools security-trends security-updates selenium selinux SEO seo seo-optimization server-setup serverless Serverless service mesh service-accounts service-discovery service-mesh service-workers ServiceAccounts Services Shaders sharing Shell shell shell-configuration Shell-Extensions shell-scripting shellcode shot-scraper Shuffle SIEM siem signaling SilkETW simultaneous-interpretation single-node sinkhole site-speed slack smack smallstep smpp SMS sms-gateway SMTP smtp snapshot snort sns SOAR SOC soc Social-Media software development software-testing spark spatialite speech-translation spf sphinx spiffe spire spreadsheet spring-boot spyware-protection SQL sql sql-server SQLite sqlite sqs squarespace SRE sre SSH ssh SSH-security ssl SSL/TLS starship State Management StateFlow static-sites statistical-analysis stepca storage Storage-Optimization storageclass Streaming streaming STUN subnets suricata svg Swift swift sysadmin Syslog syslog Sysmon sysmon System Architecture System Development System Management system services System-Administration system-administration System-APIs System-Audit system-calls system-design system-extension System-Health system-integrity system-maintenance System-Programming System-Security systemd systems-programming tailscale taints targeted-attacks TCC TCP tcp team-collaboration telegram templates Tenzir terminal terminal-services terraform tesseract testcontainers testing Testing tetragon textract threading Threat Detection Threat Hunting Threat Mitigation Threat-Detection threat-detection threat-hunting Threat-Hunting threat-intelligence Threat-Intelligence threat-landscape threat-modeling tiktok tinyemu tls TLS toast-notifications token-flow tokio Tokio tolerations tomcat tools tpm tracee tracing Traffic-Analysis traffic-routing troubleshooting trusted-execution tunnel tunneling tunnels turing TURN Turnstile Tutorial tutorial twitter typescript Ubuntu ubuntu udev UDP udp UI ui UI Testing ULS Unified-Logging uninstallation unisolation Unit Testing unix utilities upgrade uprobes usb-control USB-Monitoring Use Cases use-cases user accounts User-Experience user-experience User-Mode user-session User32 utm-stack valtown vault Vector-Database vega version control Version-Control version-control Video video video-chat ViewModel vim Virtualization virtualization VirusTotal Visual-Studio Visualization visualization vmware volumes vpc vpn vpn-replacement vscode vsftp vulnerabilities vulnerability vulnerability-analysis Vulnerability-Assessment vulnerability-detection Vulnerability-Management vulnerability-scanning WAF waf WARP warp WASAPI wasi wasm Wazuh wazuh web Web Development web-acceleration web-components web-development web-filtering web-infrastructure web-performance Web-Security web-security web-servers webassembly WebAuthn webauthn webhooks webrtc WebRTC websockets white-labeling wikipedia Win32 Windows windows windows admin center Windows API Windows SDK Windows Security Windows Server 2019 Windows Services windows updates windows-10-iot Windows-API windows-api Windows-Firewall Windows-Forensics windows-monitoring Windows-SDK Windows-Security windows-security winexe winrt WinSock WMI wmi wordpress worker-nodes Workers workers Workflow workflow Workflow-Automation workload-identity WQL xdp XDP XDR xdr xpc XProtect xprotect yaml YARA youtube zeit-now zero-copy zero-day zero-trust Zero-Trust zsh ztna
68 words
1 minute
Safely outputting JSON
Safely outputting JSON#
Carelessly including the output of json.dumps() in an HTML page can lead to an XSS hole, thanks to the following:
1>>> import json2>>> s = "</script><script>alert(document.location)</script>"3>>> print(json.dumps({"bad": s}))4{"bad": "</script><script>alert(document.location)</script>"}Jinja has a function that avoids this in jinja2.utils.htmlsafe_json_dumps() - the (simplified) implementation looks like this:
1def htmlsafe_json_dumps(obj):2 return (3 json.dumps(obj)4 .replace("<", "\\u003c")5 .replace(">", "\\u003e")6 .replace("&", "\\u0026")7 .replace("'", "\\u0027")8 )Which outputs like this:
1>>> print(htmlsafe_json_dumps({"bad": s}))2{"bad": "\u003c/script\u003e\u003cscript\u003ealert(document.location)\u003c/script\u003e"} Safely outputting JSON
https://mranv.pages.dev/posts/safely-outputting-json/